From f70316dabe33296a615c6c592f3a3cafa71df2b2 Mon Sep 17 00:00:00 2001
From: Roger Zanoni
Date: Mon, 13 Feb 2023 21:29:09 +0100
Subject: kuksa-val: Add root CA certificate to agl-driver nssdb

This change is needed by chromium to fix the ERR_CERT_AUTHORITY_INVALID issued when trying to connect to kuksa.val server using a secure connection. chromium is shipped with a read-only database containing trusted CA certs and also uses a local nss database (stored on the user home directory) that can be managed by the nss command line tools. This change adds the kuksa root CA to agl-driver's nssdb that can be loaded by chromium and used to perform validation. v2 (jsmoeller): Use separate package for pki db in agl-driver home.

Bug-AGL: SPEC-4599
Signed-off-by: Roger Zanoni
Signed-off-by: Jan-Simon Moeller
Change-Id: I074d48fedfadaddd9a894b478839e16fa4757b5e
(cherry picked from commit 99356a43e5ee3ae662af83e4ae6e0e11ef1aa39e)
---
 recipes-connectivity/kuksa-val/kuksa-val_git.bb | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/recipes-connectivity/kuksa-val/kuksa-val_git.bb b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
index 04f6f4f64..2c1966ff6 100644
--- a/recipes-connectivity/kuksa-val/kuksa-val_git.bb
+++ b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://../LICENSE;md5=2b42edef8fa55315f34f2370b4715ca9 \
 file://3rd-party-libs/turtle/LICENSE_1_0.txt;md5=e4224ccaecb14d942c71d31bef20d78c \
 file://3rd-party-libs/jwt-cpp/LICENSE;md5=8325a5ce4414c65ffdda392e0d96a9ff"
 
-DEPENDS = "boost openssl mosquitto protobuf-native grpc-native grpc"
+DEPENDS = "boost openssl mosquitto nss protobuf-native grpc-native grpc"
 
 require kuksa-val.inc
 
@@ -77,6 +77,11 @@ do_install:append() {
 chgrp 900 ${D}${sysconfdir}/kuksa-val/Server.pem
 }
 
+pkg_postinst_ontarget:${PN}-client-certificates () {
+ certutil -A -d /home/agl-driver/.pki/nssdb -n "KuksaRootCA" -t "pC,," -i ${sysconfdir}/kuksa-val/CA.pem
+ chown agl-driver:agl-driver -R /home/agl-driver/.pki/
+}
+
 # Put client certificates into their own package so we can avoid
 # duplicates of them for e.g. cluster clients. Longer term this
 # will need to be revisited.
@@ -90,4 +95,4 @@ FILES:${PN}-client-certificates = " \
 FILES:${PN} += "${systemd_system_unitdir} ${datadir}"
-RDEPENDS:${PN} += "${PN}-client-certificates"
+RDEPENDS:${PN} += "${PN}-client-certificates nss-agl-driver-db"
-- 
cgit 1.2.3-korg
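Review bot: The new `pkg_postinst_ontarget:${PN}-client-certificates` runs `certutil` against `/home/agl-driver/.pki/nssdb` on the target, but the only runtime dependency this commit adds (`nss-agl-driver-db`, in the following hunk) goes on `RDEPENDS:${PN}`, not on the `-client-certificates` package whose script needs it — and the comment right below says that package is meant to be installed on its own for cluster clients, in which case neither the database nor (as far as the visible hunks show) the `certutil` binary is guaranteed to be present; the build-time `nss` added to DEPENDS in the first hunk does nothing for an on-target script. `certutil -A` fails when the db directory is missing, and because the script has no error handling the failure is masked by the following `chown`, so the package reports a successful install while chromium still sees ERR_CERT_AUTHORITY_INVALID. I would attach the dependency where it is used and make the failure visible, e.g. `RDEPENDS:${PN}-client-certificates += "nss-bin nss-agl-driver-db"` (assuming `nss-bin` is the package shipping certutil here — please confirm against the nss recipe in use) and `certutil -A ... || exit 1`. Separately, `-t "pC,,"` makes KuksaRootCA a trusted SSL CA for every hostname the browser visits; if that CA key is the upstream default shared across images rather than generated per device, anyone holding it can impersonate any TLS site to the driver's browser, so consider trusting only the server's leaf certificate (`-t "P,,"` on Server.pem) or a name-constrained CA, and leave a comment stating which key is expected.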